This patch will upgrade Sudo version 1.6.9 patchlevel 13 to Sudo
version 1.6.9 patchlevel 14.  To apply:

    $ cd sudo-1.6.9p13
    $ patch -p1 < sudo-1.6.9p14.patch

diff -ura sudo-1.6.9p13/CHANGES sudo-1.6.9p14/CHANGES
--- sudo-1.6.9p13/CHANGES	Tue Feb 19 10:47:44 2008
+++ sudo-1.6.9p14/CHANGES	Wed Mar  5 07:28:18 2008
@@ -2059,3 +2059,17 @@
 648) Fixed a Kerberos 5 compilation problem with MIT Kerberos.
 
 Sudo 1.6.9p13 released.
+
+649) Fixed an invalid assumption in the PAM conversation function
+     introduced in version 1.6.9p9.  The conversation function may
+     be called for non-password reading purposes as well.
+
+650) Fixed freeing an uninitialized pointer in -l mode, introduced in
+     version 1.6.9p13.
+
+651) Check /etc/sudoers after LDAP even if the user was found in LDAP.
+     This allows Defaults options in /etc/sudoers to take effect.
+
+652) Add missing checks for enforcing mode in SELinux RBAC mode.
+
+Sudo 1.6.9p14 released.
diff -ura sudo-1.6.9p13/Makefile.in sudo-1.6.9p14/Makefile.in
--- sudo-1.6.9p13/Makefile.in	Tue Feb 19 13:13:10 2008
+++ sudo-1.6.9p14/Makefile.in	Wed Mar  5 07:41:08 2008
@@ -20,7 +20,7 @@
 #
 # @configure_input@
 #
-# $Sudo: Makefile.in,v 1.246.2.27 2008/02/19 18:13:10 millert Exp $
+# $Sudo: Makefile.in,v 1.246.2.28 2008/03/05 12:41:08 millert Exp $
 #
 
 #### Start of system configuration section. ####
@@ -132,7 +132,7 @@
 
 LIBOBJS = @LIBOBJS@ @ALLOCA@
 
-VERSION = 1.6.9p13
+VERSION = 1.6.9p14
 
 DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES HISTORY INSTALL INSTALL.configure \
             LICENSE Makefile.in PORTING README README.LDAP \
diff -ura sudo-1.6.9p13/auth/pam.c sudo-1.6.9p14/auth/pam.c
--- sudo-1.6.9p13/auth/pam.c	Sun Dec  2 12:13:52 2007
+++ sudo-1.6.9p14/auth/pam.c	Fri Feb 22 15:19:45 2008
@@ -72,7 +72,7 @@
 #endif
 
 #ifndef lint
-__unused static const char rcsid[] = "$Sudo: pam.c,v 1.43.2.9 2007/12/02 17:13:52 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: pam.c,v 1.43.2.10 2008/02/22 20:19:45 millert Exp $";
 #endif /* lint */
 
 static int sudo_conv __P((int, PAM_CONST struct pam_message **,
@@ -257,11 +257,6 @@
 	return(PAM_CONV_ERR);
     zero_bytes(*response, num_msg * sizeof(struct pam_response));
 
-    /* Is the sudo prompt standard? (If so, we'l just use PAM's) */
-    std_prompt =  strncmp(def_prompt, "Password:", 9) == 0 &&
-	(def_prompt[9] == '\0' ||
-	(def_prompt[9] == ' ' && def_prompt[10] == '\0'));
-
     for (pr = *response, pm = *msg, n = num_msg; n--; pr++, pm++) {
 	flags = tgetpass_flags;
 	switch (pm->msg_style) {
@@ -269,6 +264,12 @@
 		SET(flags, TGP_ECHO);
 	    case PAM_PROMPT_ECHO_OFF:
 		prompt = def_prompt;
+
+		/* Is the sudo prompt standard? (If so, we'l just use PAM's) */
+		std_prompt = strncmp(def_prompt, "Password:", 9) == 0 &&
+		    (def_prompt[9] == '\0' ||
+		    (def_prompt[9] == ' ' && def_prompt[10] == '\0'));
+
 		/* Only override PAM prompt if it matches /^Password: ?/ */
 #if defined(PAM_TEXT_DOMAIN) && defined(HAVE_DGETTEXT)
 		if (!def_passprompt_override && (std_prompt ||
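Review bot: The relocated `strncmp(def_prompt, "Password:", 9)` still reads `def_prompt` without a NULL check, so the fix holds only if every PAM_PROMPT_ECHO_ON/OFF message arrives after the prompt has been set; where `def_prompt` is assigned is not visible in this hunk. CHANGES item 649 notes that the conversation function is also called outside password reading, so if a module can issue a prompt message on such a call, a guard like `std_prompt = def_prompt != NULL && strncmp(def_prompt, "Password:", 9) == 0 && ...`, together with falling back to the PAM-supplied message for `prompt`, would close that path. The moved comment also keeps the typo `we'l`, and it should say why the test now sits inside the case, e.g. `/* computed per prompt message; def_prompt is presumably only meaningful while a password is being read */`. The switch and the enclosing conversation function continue outside the hunk.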
diff -ura sudo-1.6.9p13/parse.yacc sudo-1.6.9p14/parse.yacc
--- sudo-1.6.9p13/parse.yacc	Mon Feb 11 09:49:28 2008
+++ sudo-1.6.9p14/parse.yacc	Wed Feb 27 15:34:42 2008
@@ -70,7 +70,7 @@
 #endif /* HAVE_LSEARCH */
 
 #ifndef lint
-__unused static const char rcsid[] = "$Sudo: parse.yacc,v 1.204.2.12 2008/02/11 14:49:28 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: parse.yacc,v 1.204.2.13 2008/02/27 20:34:42 millert Exp $";
 #endif /* lint */
 
 /*
@@ -1383,6 +1383,7 @@
     }
 
     cm_list[cm_list_len].runas = cm_list[cm_list_len].cmnd = NULL;
+    cm_list[cm_list_len].type = cm_list[cm_list_len].role = NULL;
     cm_list[cm_list_len].nopasswd = FALSE;
     cm_list[cm_list_len].noexecve = FALSE;
     cm_list[cm_list_len].setenv = FALSE;
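Review bot: Initialising each member of `cm_list[cm_list_len]` by hand is what allowed `type` and `role` to be missed, and the added line leaves the same trap for the next pointer member added to the struct. Clearing the whole entry before the explicit assignments, e.g. `zero_bytes(&cm_list[cm_list_len], sizeof(cm_list[cm_list_len]));` (the helper visible in auth/pam.c, or plain `memset`), would keep a later `free()` from ever seeing an unset pointer. The enclosing function starts and ends outside the hunk; sudo.tab.c carries the generated copy of this line.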
diff -ura sudo-1.6.9p13/selinux.c sudo-1.6.9p14/selinux.c
--- sudo-1.6.9p13/selinux.c	Wed Feb 20 12:00:48 2008
+++ sudo-1.6.9p14/selinux.c	Fri Feb 22 15:33:10 2008
@@ -50,7 +50,7 @@
 #include "pathnames.h"
 
 #ifndef lint
-__unused static const char rcsid[] = "$Sudo: selinux.c,v 1.2.2.3 2008/02/20 17:00:48 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: selinux.c,v 1.2.2.4 2008/02/22 20:33:10 millert Exp $";
 #endif /* lint */
 
 /*
@@ -104,21 +104,16 @@
  */
 static int
 relabel_tty(const char *ttyn, security_context_t new_context,
-    security_context_t * tty_context, security_context_t * new_tty_context)
+    security_context_t * tty_context, security_context_t * new_tty_context,
+    int enforcing)
 {
     int fd;
-    int enforcing = security_getenforce();
     security_context_t tty_con = NULL;
     security_context_t new_tty_con = NULL;
 
     if (!ttyn)
 	return(0);
 
-    if (enforcing < 0) {
-	warnx("unable to determine enforcing mode.");
-	return(-1);
-    }
-
     /* Re-open TTY descriptor */
     fd = open(ttyn, O_RDWR | O_NONBLOCK);
     if (fd == -1) {
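Review bot: The new `enforcing` parameter of `relabel_tty()` is undocumented, and the function no longer rejects a negative value itself, so its behaviour now depends on the caller having checked the result of `security_getenforce()`. The block comment that ends just above the signature should gain a line such as `enforcing: result of security_getenforce(), already verified to be >= 0 by the caller`. The function body continues past the end of the hunk.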
@@ -239,7 +234,7 @@
     security_context_t tty_context = NULL;
     security_context_t new_tty_context = NULL;
     pid_t childPid;
-    int ttyfd;
+    int enforcing, ttyfd;
 
     /* Must have a tty. */
     if (user_ttypath == NULL || *user_ttypath == '\0')
@@ -248,6 +243,11 @@
     /* Store the caller's SID in old_context. */
     if (getprevcon(&old_context))
 	err(EXIT_FAILURE, "failed to get old_context");
+
+    enforcing = security_getenforce();
+    if (enforcing < 0)
+	err(EXIT_FAILURE, "unable to determine enforcing mode.");
+
     
 #ifdef DEBUG
     warnx("your old context was %s", old_context);
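Review bot: `err()` appends a colon and the `errno` text to its message, so the trailing period in `"unable to determine enforcing mode."` yields output of the form `mode.: <reason>`; drop the period, `err(EXIT_FAILURE, "unable to determine enforcing mode");`. The enclosing function starts and ends outside the hunk.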
@@ -257,7 +257,7 @@
 	exit(EXIT_FAILURE);
     
     ttyfd = relabel_tty(user_ttypath, new_context, &tty_context,
-	&new_tty_context);
+	&new_tty_context, enforcing);
     if (ttyfd < 0)
 	err(EXIT_FAILURE, "unable to setup tty context for %s", new_context);
 
@@ -314,7 +314,14 @@
 
     if (setexeccon(new_context)) {
 	warn("unable to set exec context to %s", new_context);
-	goto error;
+	if (enforcing)
+	    goto error;
+    }
+
+    if (setkeycreatecon(new_context)) {
+	warn("unable to set key creation context to %s", new_context);
+	if (enforcing)
+	    goto error;
     }
 
 #ifdef WITH_AUDIT
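Review bot: When `setexeccon()` or `setkeycreatecon()` fails and `enforcing` is 0, control now falls through with only a `warn()`, so the command presumably runs without the requested `new_context` while the code that follows (the `WITH_AUDIT` block starts right below, outside the hunk) may still record that context. This matches permissive-mode semantics but should be stated next to the checks, e.g. `/* Permissive mode: labeling failures are reported but not fatal. */`, and any audit or log record written afterwards should reflect whether the transition was actually set. Separately, `setkeycreatecon()` is called unconditionally; if libselinux releases that lack it are still supported, the call needs a configure-time guard.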
diff -ura sudo-1.6.9p13/sudo.c sudo-1.6.9p14/sudo.c
--- sudo-1.6.9p13/sudo.c	Sat Feb  9 09:44:48 2008
+++ sudo-1.6.9p14/sudo.c	Wed Mar  5 14:34:49 2008
@@ -105,7 +105,7 @@
 #include "version.h"
 
 #ifndef lint
-__unused __unused static const char rcsid[] = "$Sudo: sudo.c,v 1.369.2.36 2008/02/09 14:44:48 millert Exp $";
+__unused __unused static const char rcsid[] = "$Sudo: sudo.c,v 1.369.2.38 2008/03/05 19:34:49 millert Exp $";
 #endif /* lint */
 
 /*
@@ -273,25 +273,22 @@
     validated = sudo_ldap_check(pwflag);
 
     /* Skip reading /etc/sudoers if LDAP told us to */
-    if (def_ignore_local_sudoers); /* skips */
-    else if (ISSET(validated, VALIDATE_OK) && !printmatches); /* skips */
-    else if (ISSET(validated, VALIDATE_OK) && printmatches)
-    {
-	check_sudoers();	/* check mode/owner on _PATH_SUDOERS */
+    if (!def_ignore_local_sudoers) {
+	int v;
 
-	/* User is found in LDAP and we want a list of all sudo commands the
-	 * user can do, so consult sudoers but throw away result.
-	 */
-	sudoers_lookup(pwflag);
-    }
-    else
-#endif
-    {
 	check_sudoers();	/* check mode/owner on _PATH_SUDOERS */
 
-	/* Validate the user but don't search for pseudo-commands. */
-	validated = sudoers_lookup(pwflag);
+	/* Local sudoers file overrides LDAP if we have a match. */
+	v = sudoers_lookup(pwflag);
+	if (ISSET(v, VALIDATE_OK))
+	    validated = v;
     }
+#else
+    check_sudoers();	/* check mode/owner on _PATH_SUDOERS */
+
+    /* Validate the user but don't search for pseudo-commands. */
+    validated = sudoers_lookup(pwflag);
+#endif
     if (safe_cmnd == NULL)
 	safe_cmnd = estrdup(user_cmnd);
 
diff -ura sudo-1.6.9p13/sudo.cat sudo-1.6.9p14/sudo.cat
--- sudo-1.6.9p13/sudo.cat	Tue Feb 19 13:22:29 2008
+++ sudo-1.6.9p14/sudo.cat	Wed Mar  5 08:02:15 2008
@@ -61,7 +61,7 @@
 
 
 
-1.6.9p13                February 19, 2008                       1
+1.6.9p14                February 19, 2008                       1
 
 
 
@@ -127,7 +127,7 @@
 
 
 
-1.6.9p13                February 19, 2008                       2
+1.6.9p14                February 19, 2008                       2
 
 
 
@@ -193,7 +193,7 @@
 
 
 
-1.6.9p13                February 19, 2008                       3
+1.6.9p14                February 19, 2008                       3
 
 
 
@@ -259,7 +259,7 @@
 
 
 
-1.6.9p13                February 19, 2008                       4
+1.6.9p14                February 19, 2008                       4
 
 
 
@@ -325,7 +325,7 @@
 
 
 
-1.6.9p13                February 19, 2008                       5
+1.6.9p14                February 19, 2008                       5
 
 
 
@@ -391,7 +391,7 @@
 
 
 
-1.6.9p13                February 19, 2008                       6
+1.6.9p14                February 19, 2008                       6
 
 
 
@@ -457,7 +457,7 @@
 
 
 
-1.6.9p13                February 19, 2008                       7
+1.6.9p14                February 19, 2008                       7
 
 
 
@@ -523,7 +523,7 @@
 
 
 
-1.6.9p13                February 19, 2008                       8
+1.6.9p14                February 19, 2008                       8
 
 
 
@@ -589,6 +589,6 @@
 
 
 
-1.6.9p13                February 19, 2008                       9
+1.6.9p14                February 19, 2008                       9
 
 
diff -ura sudo-1.6.9p13/sudo.man.in sudo-1.6.9p14/sudo.man.in
--- sudo-1.6.9p13/sudo.man.in	Tue Feb 19 13:24:46 2008
+++ sudo-1.6.9p14/sudo.man.in	Wed Mar  5 08:05:05 2008
@@ -18,7 +18,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\" 
-.\" $Sudo: sudo.man.in,v 1.29.2.23 2008/02/19 18:24:46 millert Exp $
+.\" $Sudo: sudo.man.in,v 1.29.2.24 2008/03/05 13:05:05 millert Exp $
 .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
 .\"
 .\" Standard preamble:
@@ -150,7 +150,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "February 19, 2008" "1.6.9p13" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "February 19, 2008" "1.6.9p14" "MAINTENANCE COMMANDS"
 .SH "NAME"
 sudo, sudoedit \- execute a command as another user
 .SH "SYNOPSIS"
diff -ura sudo-1.6.9p13/sudo.tab.c sudo-1.6.9p14/sudo.tab.c
--- sudo-1.6.9p13/sudo.tab.c	Mon Feb 11 09:49:28 2008
+++ sudo-1.6.9p14/sudo.tab.c	Wed Feb 27 15:34:42 2008
@@ -88,7 +88,7 @@
 #endif /* HAVE_LSEARCH */
 
 #ifndef lint
-__unused static const char rcsid[] = "$Sudo: sudo.tab.c,v 1.76.2.13 2008/02/11 14:49:28 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: sudo.tab.c,v 1.76.2.14 2008/02/27 20:34:42 millert Exp $";
 #endif /* lint */
 
 /*
@@ -1069,6 +1069,7 @@
     }
 
     cm_list[cm_list_len].runas = cm_list[cm_list_len].cmnd = NULL;
+    cm_list[cm_list_len].type = cm_list[cm_list_len].role = NULL;
     cm_list[cm_list_len].nopasswd = FALSE;
     cm_list[cm_list_len].noexecve = FALSE;
     cm_list[cm_list_len].setenv = FALSE;
@@ -1101,7 +1102,7 @@
     if (printmatches == TRUE)
 	expand_match_list();
 }
-#line 1053 "sudo.tab.c"
+#line 1054 "sudo.tab.c"
 /* allocate initial stack or double stack size, up to YYMAXDEPTH */
 #if defined(__cplusplus) || defined(__STDC__)
 static int yygrowstack(void)
@@ -2196,7 +2197,7 @@
 			    yyval.BOOLEAN = TRUE;
 			}
 break;
-#line 2148 "sudo.tab.c"
+#line 2149 "sudo.tab.c"
     }
     yyssp -= yym;
     yystate = *yyssp;
diff -ura sudo-1.6.9p13/sudoers.cat sudo-1.6.9p14/sudoers.cat
--- sudo-1.6.9p13/sudoers.cat	Tue Feb 19 13:22:29 2008
+++ sudo-1.6.9p14/sudoers.cat	Wed Mar  5 08:02:15 2008
@@ -61,7 +61,7 @@
 
 
 
-1.6.9p13                February 19, 2008                       1
+1.6.9p14                February 19, 2008                       1
 
 
 
@@ -127,7 +127,7 @@
 
 
 
-1.6.9p13                February 19, 2008                       2
+1.6.9p14                February 19, 2008                       2
 
 
 
@@ -193,7 +193,7 @@
 
 
 
-1.6.9p13                February 19, 2008                       3
+1.6.9p14                February 19, 2008                       3
 
 
 
@@ -259,7 +259,7 @@
 
 
 
-1.6.9p13                February 19, 2008                       4
+1.6.9p14                February 19, 2008                       4
 
 
 
@@ -325,7 +325,7 @@
 
 
 
-1.6.9p13                February 19, 2008                       5
+1.6.9p14                February 19, 2008                       5
 
 
 
@@ -391,7 +391,7 @@
 
 
 
-1.6.9p13                February 19, 2008                       6
+1.6.9p14                February 19, 2008                       6
 
 
 
@@ -457,7 +457,7 @@
 
 
 
-1.6.9p13                February 19, 2008                       7
+1.6.9p14                February 19, 2008                       7
 
 
 
@@ -523,7 +523,7 @@
 
 
 
-1.6.9p13                February 19, 2008                       8
+1.6.9p14                February 19, 2008                       8
 
 
 
@@ -589,7 +589,7 @@
 
 
 
-1.6.9p13                February 19, 2008                       9
+1.6.9p14                February 19, 2008                       9
 
 
 
@@ -655,7 +655,7 @@
 
 
 
-1.6.9p13                February 19, 2008                      10
+1.6.9p14                February 19, 2008                      10
 
 
 
@@ -721,7 +721,7 @@
 
 
 
-1.6.9p13                February 19, 2008                      11
+1.6.9p14                February 19, 2008                      11
 
 
 
@@ -787,7 +787,7 @@
 
 
 
-1.6.9p13                February 19, 2008                      12
+1.6.9p14                February 19, 2008                      12
 
 
 
@@ -853,7 +853,7 @@
 
 
 
-1.6.9p13                February 19, 2008                      13
+1.6.9p14                February 19, 2008                      13
 
 
 
@@ -919,7 +919,7 @@
 
 
 
-1.6.9p13                February 19, 2008                      14
+1.6.9p14                February 19, 2008                      14
 
 
 
@@ -985,7 +985,7 @@
 
 
 
-1.6.9p13                February 19, 2008                      15
+1.6.9p14                February 19, 2008                      15
 
 
 
@@ -1051,7 +1051,7 @@
 
 
 
-1.6.9p13                February 19, 2008                      16
+1.6.9p14                February 19, 2008                      16
 
 
 
@@ -1117,7 +1117,7 @@
 
 
 
-1.6.9p13                February 19, 2008                      17
+1.6.9p14                February 19, 2008                      17
 
 
 
@@ -1183,7 +1183,7 @@
 
 
 
-1.6.9p13                February 19, 2008                      18
+1.6.9p14                February 19, 2008                      18
 
 
 
@@ -1249,7 +1249,7 @@
 
 
 
-1.6.9p13                February 19, 2008                      19
+1.6.9p14                February 19, 2008                      19
 
 
 
@@ -1315,7 +1315,7 @@
 
 
 
-1.6.9p13                February 19, 2008                      20
+1.6.9p14                February 19, 2008                      20
 
 
 
@@ -1381,7 +1381,7 @@
 
 
 
-1.6.9p13                February 19, 2008                      21
+1.6.9p14                February 19, 2008                      21
 
 
 
@@ -1447,7 +1447,7 @@
 
 
 
-1.6.9p13                February 19, 2008                      22
+1.6.9p14                February 19, 2008                      22
 
 
 
@@ -1513,7 +1513,7 @@
 
 
 
-1.6.9p13                February 19, 2008                      23
+1.6.9p14                February 19, 2008                      23
 
 
 
@@ -1579,6 +1579,6 @@
 
 
 
-1.6.9p13                February 19, 2008                      24
+1.6.9p14                February 19, 2008                      24
 
 
diff -ura sudo-1.6.9p13/sudoers.man.in sudo-1.6.9p14/sudoers.man.in
--- sudo-1.6.9p13/sudoers.man.in	Tue Feb 19 13:24:46 2008
+++ sudo-1.6.9p14/sudoers.man.in	Wed Mar  5 08:05:05 2008
@@ -18,7 +18,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\" 
-.\" $Sudo: sudoers.man.in,v 1.45.2.25 2008/02/19 18:24:46 millert Exp $
+.\" $Sudo: sudoers.man.in,v 1.45.2.26 2008/03/05 13:05:05 millert Exp $
 .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
 .\"
 .\" Standard preamble:
@@ -150,7 +150,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "February 19, 2008" "1.6.9p13" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "February 19, 2008" "1.6.9p14" "MAINTENANCE COMMANDS"
 .SH "NAME"
 sudoers \- list of which users may execute what
 .SH "DESCRIPTION"
diff -ura sudo-1.6.9p13/version.h sudo-1.6.9p14/version.h
--- sudo-1.6.9p13/version.h	Tue Feb 19 10:48:06 2008
+++ sudo-1.6.9p14/version.h	Wed Mar  5 07:41:08 2008
@@ -17,12 +17,12 @@
  * Agency (DARPA) and Air Force Research Laboratory, Air Force
  * Materiel Command, USAF, under agreement number F39502-99-1-0512.
  *
- * $Sudo: version.h,v 1.66.2.16 2008/02/19 15:48:06 millert Exp $
+ * $Sudo: version.h,v 1.66.2.17 2008/03/05 12:41:08 millert Exp $
  */
 
 #ifndef _SUDO_VERSION_H
 #define _SUDO_VERSION_H
 
-static const char version[] = "1.6.9p13";
+static const char version[] = "1.6.9p14";
 
 #endif /* _SUDO_VERSION_H */
diff -ura sudo-1.6.9p13/visudo.cat sudo-1.6.9p14/visudo.cat
--- sudo-1.6.9p13/visudo.cat	Tue Feb 19 13:22:29 2008
+++ sudo-1.6.9p14/visudo.cat	Wed Mar  5 08:02:15 2008
@@ -61,7 +61,7 @@
 
 
 
-1.6.9p13                February 19, 2008                       1
+1.6.9p14                February 19, 2008                       1
 
 
 
@@ -127,7 +127,7 @@
 
 
 
-1.6.9p13                February 19, 2008                       2
+1.6.9p14                February 19, 2008                       2
 
 
 
@@ -193,6 +193,6 @@
 
 
 
-1.6.9p13                February 19, 2008                       3
+1.6.9p14                February 19, 2008                       3
 
 
diff -ura sudo-1.6.9p13/visudo.man.in sudo-1.6.9p14/visudo.man.in
--- sudo-1.6.9p13/visudo.man.in	Tue Feb 19 13:13:17 2008
+++ sudo-1.6.9p14/visudo.man.in	Wed Mar  5 08:05:05 2008
@@ -17,7 +17,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\" 
-.\" $Sudo: visudo.man.in,v 1.20.2.18 2008/02/19 18:13:17 millert Exp $
+.\" $Sudo: visudo.man.in,v 1.20.2.19 2008/03/05 13:05:05 millert Exp $
 .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
 .\"
 .\" Standard preamble:
@@ -149,7 +149,7 @@
 .\" ========================================================================
 .\"
 .IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "February 19, 2008" "1.6.9p13" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "February 19, 2008" "1.6.9p14" "MAINTENANCE COMMANDS"
 .SH "NAME"
 visudo \- edit the sudoers file
 .SH "SYNOPSIS"
